Last Friday, a piece of malware began doing the rounds in the UK, locking PC users out of their data unless they paid up a ransom in Bitcoin. It then spread to Spain and eventually more than 150 countries, affecting not just individuals, but also over 10,000 organizations including the UK’s National Health Service.
The ransomware in question, now known as WannaCry, is believed to have used an exploit found in leaked data from the US National Security Agency (NSA) and could have affected far more systems. Thankfully, a 22-year-old security researcher put a stop to that with a $10 purchase.
Twitter user MalwareTech, who wishes to remain anonymous, told The Guardian that when he looked into a sample of the malware, found it connected to a specific domain that wasn’t registered at the time. So he bought it, and that effectively activated a kill switch and ended the spread of WannaCry.
While MalwareTech’s purchase inadvertently saved the day, we may not have seen the end of WannaCry. He believes that it’s almost certain that a second piece of ransomware will begin doing the rounds soon.
Speaking to the BBC, he said:
We have stopped this one, but there will be another one coming and it will not be stoppable by us. There’s a lot of money in this. There’s no reason for them to stop. It’s not really much effort for them to change the code and then start over. So there’s a good chance they are going to do it… maybe not this weekend, but quite likely on Monday morning.
With the first version of WannaCry forcing people to pay $300 in Bitcoin to regain access to their files, there’s certainly plenty of money to be made from ransomware. And it could definitely get worse. There’s already talk of variants of WannaCry beginning to do the rounds.
Version 1 of WannaCrypt was stoppable but version 2.0 will likely remove the flaw. You're only safe if you patch ASAP.
— MalwareTech (@MalwareTechBlog) May 14, 2017
The company’s president and Chief Legal Officer, Brad Smith, noted that Microsoft issued a patch for the exploit WannaCry used more than two months ago – and still, systems across the globe remained vulnerable. He wrote:
This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.
The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.
Smith is right: exploits hoarded by a government agency could be leaked or stolen and misused, and we need to recognize them as the horrific threats that they are. The next time something like WannaCry hits the internet, we may not be so lucky as to fix a worldwide virus with an online purchase.